rules:
  - id: {{ check_id }}
    message: | 
      Found a formatted template string passed to '{{ sink }}()'.
      '{{ sink }}()' does not escape contents. Be absolutely sure
      there is no user-controlled data in this template.
    languages: [go]
    severity: WARNING
    patterns:
      - pattern-either:
          - pattern: {{ sink }}($T + $X, ...)
          - pattern: {{ sink }}(fmt.$P("...", ...), ...)
          - pattern: |
              $T = "..."
              ...
              $T = $FXN(..., $T, ...)
              ...
              $A = {{ sink }}($T, ...)
          - pattern: |
              $T = "..."
              ...
              $T = $FXN(..., $T, ...)
              ...
              return {{ sink }}($T, ...)
          - pattern: |
              $T = $X + $Y
              ...
              $A = {{ sink }}($T, ...)
          - pattern: |
              $T = fmt.$P("...", ...)
              ...
              $A = {{ sink }}($T, ...)
          - pattern: |
              $T, $ERR = fmt.$P("...", ...)
              ...
              $A = {{ sink }}($T, ...)
          - pattern: |
              $T = fmt.$P("...", ...)
              ...
              return {{ sink }}($T, ...)
          - pattern: |
              $T, $ERR = fmt.$P("...", ...)
              ...
              return {{ sink }}($T, ...)
          - pattern: |
              $T = $X + $Y
              ...
              return {{ sink }}($T, ...)
          - pattern: |
              $T = "..."
              ...
              $OTHER, $ERR = fmt.$P(..., $T, ...)
              ...
              $A = {{ sink }}($OTHER, ...)
          - pattern: |
              $T = "..."
              ...
              $OTHER, $ERR = fmt.$P(..., $T, ...)
              ...
              return {{ sink }}($OTHER, ...)